House of Assembly - Fifty-Fifth Parliament, First Session (55-1)
2023-10-31 Daily Xml

Contents

Super SA Cybersecurity Incident

Mr COWDREY (Colton) (14:50): My question is to the Treasurer. Was the personal data of Super SA members uploaded to the dark web and, if so, when was the Treasurer notified of this?

The Hon. S.C. MULLIGHAN (Lee—Treasurer) (14:50): I think this has been the subject of significant questioning in a Budget and Finance select committee hearing last Monday where the Department of Treasury and Finance and Super SA officials were at pains to give a great deal of detail about the circumstances of this.

Just to recap for the benefit of members, in mid August the Department of the Premier and Cabinet, through some of its ongoing monitoring activities, became aware that there was a likely data breach involving a former third-party contractor to Super SA, and over the ensuing weeks there were efforts between DPC and Super SA to understand the extent to which that data had been accessed, what the data was, to verify whether members were impacted and also to understand specifically which members were impacted. Again, this was not arising from a breach of Super SA's ICT environment but a breach of a former third-party contractor's environment, Contact 121, who was engaged, I am advised, for a three-month period arising from a data breach that occurred in 2019.

Of course, as I think I have canvassed in here but as was also canvassed in the select committee hearing last Monday, it was the government's expectation and also the obligation, as far as I am aware, for that third-party contractor not to have maintained that information on its servers but nonetheless it had, and that provided the context for this breach to occur.

As I explained to the house when I was questioned about this last sitting week, I became aware of this incident on Thursday, I think it was, 12 October. Members were notified from 16 October on the following Monday, and, of course, as the committee heard in evidence from the officers appearing last Monday, when the original incident happened back in 2019 there was a nine-month delay between the incident first becoming—

Mr Cowdrey: Were you told on the 12th about the dark web?

The Hon. S.C. MULLIGHAN: This stands in stark contrast to how the matter was handled by the previous Liberal government where not only did the former Treasurer not say anything at all at any stage but it took Super SA many months to advise members.

So there seems to be one standard for the conservatives and another standard for everyone else, and in fact, Mr Speaker—

Members interjecting:

The SPEAKER: Order!

The Hon. S.C. MULLIGHAN: —you will recall very specifically me asking a question of the member for Dunstan when he was Premier about another cybersecurity incident, which occurred in November 2020, and the member for Dunstan declined to provide any information to the house, and instead—

Mr Cowdrey: So did you.

The SPEAKER: Order!

The Hon. S.C. MULLIGHAN: —said, 'We only comment on this—

Members interjecting:

The SPEAKER: Member for Colton, you are warned.

The Hon. S.C. MULLIGHAN: —if we feel that it's in the public interest.' So you've got the standards to which the Liberals hold themselves, down here, and then the standard to which they now—now that they are in opposition—seek to hold everyone else. The fact is, as I have already said, as unacceptable as the delays might have been for the members whose data was impacted, we strive to do better and we are doing better than those opposite.